What Do the CIA Vault 7 Leaks Mean for Your Business?

Vault 7, the WikiLeaks release of CIA cyber intelligence documents, has been one of the biggest news stories of the past month. Now that the dust has settled and the media hype has died down, we can finally go through the leaks in a rational way and understand their real-world implications.

What Are the Vault 7 Leaks?

On March 7, WikiLeaks released 8,761 documents from the CIA’s Center for Cyber Intelligence (CCI). Although WikiLeaks did not name their source, the press release states that they believe the documents were being shared in an unauthorized manner by former government hackers.

The leaks contain information about the organization and their practices, including details on a range of the CCI’s hardware and software exploits. Julian Assange stated in a press conference that this is just 1% of the leak and that the rest will be published once the relevant vulnerabilities have been patched.

Key Revelations in the CIA Documents

With almost 9,000 pages in this release alone, it’s not practical to discuss every aspect of the CIA program in this article. The most important leaks include:

UMBRAGE

Hacking tools were collected and maintained under a CIA group called UMBRAGE. This branch of the CIA focused on forming a library of attack techniques that were originally developed by others, then repurposing them as tools that they could use in their own attacks. The WikiLeaks press release stated that this could help the CIA boost its total number of attacks and also mislead investigators as to who was responsible.

Listening In On Samsung Smart TVs

Code-named ‘Weeping Angel’, the CIA’s ability to listen in on Samsung Smart TVs was one of the biggest revelations when Vault 7 made the news. Fortunately, it’s not as bad as some reports made it out to be. ‘Weeping Angel’ allows the CIA to make the TVs seem like they are off, even though they are actually listening and recording audio. While this is worrying, the exploit only affects the Samsung F8000 series and it requires physical access for it to work.

Apple iOS

The leaks mention numerous flaws in iOS software, but a hasty release from Apple stated that many of the vulnerabilities had already been patched in the latest version.

Android

The documents also show a range of vulnerabilities across Android devices. Google made similar assurances within a few days. “We’ve reviewed the documents and we’re confident security updates and protections in both Chrome and Android already shield users from many of the alleged vulnerabilities,” said Heather Adkins, a Google spokesperson, in an interview with Wired.

While many of the flaws may have already been patched in the latest Android updates, the fragmentation of Google devices means that many users may still be insecure.

WhatsApp and Signal

The initial press release and subsequent tweets from WikiLeaks were ambiguously worded, which led to them being misinterpreted by much of the press. Many reports were claiming that the CIA had found a way to crack encrypted messaging services like WhatsApp and Signal. The reality is that these services are still secure–WikiLeaks was actually referring to the fact that the CIA is capable of compromising devices and intercepting messages through keyloggers and other means. This is a matter of device security that has nothing to do with the apps themselves.

Other Programs and Devices

The Vault 7 leaks included information for exploiting a wide range of software and hardware. The ones listed above are just a selection of the most interesting and controversial. Don’t assume that something is safe just because it wasn’t covered here. The CIA documents also contain exploits for macOS, Windows, Linux, most major web browsers and a range of other technologies.

What Are the Repercussions of the Vault 7 Leaks?

Many people may have found these leaks alarming, especially because of all the media hype around the initial release. The reality is that there isn’t much in the leaks that wasn’t already known in the security industry. If anything, this news serves as a timely reminder for us to make sure that we are following security best practices–whether it’s to keep out the government or criminals.

The Vault 7 papers aren’t as shocking as the NSA leaks. Most of the exploits covered in these documents can only be used to target individuals, rather than the mass surveillance that was revealed by Edward Snowden. Many of the vulnerabilities have already been patched, while other exploits require physical access to the device.

As far as we can tell from the release, there aren’t really any groundbreaking tools in the CIA arsenal. Sure, many of their techniques are out of the scope of your everyday hacker, but this is expected of a well-funded and motivated state body. In a way, this release is just a confirmation of what many in the industry would expect a security agency to be capable of.

Spying and warfare have been part of our world since early times. As we become more technologically capable, it is only natural that espionage agencies would gravitate towards using these means to their advantage. With talk of the DNC leaks by Russian hackers dominating the media over the past few months, we all know that governments are using technology to spy on people, so it is unreasonable to think that ours wouldn’t be doing the same.

As the CIA is an intelligence agency, it would almost be worrying if they weren’t using the kinds of tools in the leaks to intercept information. Whether you trust them to only use these techniques in a legal and ethical manner is a concern that is far outside the scope of this article.

One of the most alarming aspects of these leaks is that the CIA doesn’t have the capacity to keep their secrets safe. If these tools have leaked to WikiLeaks then they could also be in the wild, meaning that taxpayer-funded cyber weapons could end up being used against citizens. If one of the most secure and secretive agencies in the country can’t keep their techniques safe, what does that say about general data security practices in the government?

How Can You Keep Your Business Safe?

The good thing about the Vault 7 news story is that it has brought information security to the forefront once more. The reality is that security is porous, and with enough time and money, almost anything can be compromised. Good security is about taking the necessary precautions to make breaches impractical and cost-prohibitive. Organizations need to use this opportunity to reflect on their current security processes and make sure that they are following best practices.

Keep Everything Updated

Updates can certainly be annoying, but they are a critical part of security. When a new vulnerability is discovered, developers quickly roll out a patch to keep their users secure. The sooner a user is running the latest version, the less time hackers have to exploit vulnerabilities.

Apple is renowned for patching security issues within a few days. Complexities in the Android environment make it more difficult for Google to provide security updates, which can leave many users vulnerable. You can read more about the security differences between the two in our article on BYOD security.

Someone Could Be Listening

As dystopian as it may seem, the technology that we all carry around in our pockets has the potential to be recording all of our communications. When it comes to discussing sensitive information, you need to recognize that any space you don’t have control over could be set up with a variety of monitoring devices.

These leaks are another reminder that the cameras and mics on our laptops, phones and other electronics can be used to spy on us. Putting tape over your device’s cameras when not in use can be a good habit to get into (but what do you do about their microphones?). This will ensure that the cameras cannot be used to monitor your conversations.

Innovative technologies provide new ways for people to listen in on us. The prosecutor in an Arkansas murder case was seeking the recordings from an Amazon Echo smart speaker. Amazon rebuffed the prosecutor’s requests on First Amendment grounds. Although the suspect granted access to the records of his own volition, the case shows that law enforcement are looking to all kinds of technology for evidence that can be used against us.

Scale Makes You a Target

When Macs weren’t very popular, they were rarely targeted in attacks. It was more lucrative for hackers to go after Windows. Exploiting vulnerabilities takes time and money, so attackers generally chase the biggest targets to get the most return on their investment. That’s why many exploits in the Vault 7 papers focused on Apple, Windows and Google technologies. Because of this, small, well-trusted vendors like LuxSci can often be more secure than tech giants.

Have a Strong BYOD and Device Security Policy

Bringing devices into the workplace comes with a range of security issues. Make it more difficult for attackers to penetrate your network by having a strong device security policy. This involves dictating which devices can be used as well as which apps can be installed. Your organization’s security processes need to incorporate encryption, as well as training against social engineering.

While the Vault 7 leaks may have seemed shocking, if you follow this advice and other security best practices, your organization is less likely to be compromised by any of these complicated exploits. A comprehensive security policy is the best deterrent against invasion, whether it is the CIA or a bored kid in a basement.